Threats & Defenses
10 Tips for Managing Security in the CloudBusinesses Concerned About Data Security in the Cloud Should Consider These Recommendations By: Dell SecureWorks
Consider These Tips and Make Sure You Address Them With Your Cloud Vendor
- Encrypt your data. In order to protect the confidentiality of any sensitive data, you should encrypt it. There are a variety of good encryption technologies available so it is not really a challenge to do encryption. The real issue is who has the encryption keys. Businesses should limit access to themselves and trusted third parties. Consider splitting the duties of holding the data (to the cloud provider) and holding the keys to the data (to your organization, as well as some other trusted third party).
- Ensure that all users are properly authenticated. Think of all the people who might have access to your data within your company and with the cloud provider and make sure they're the right people. Passwords are a very weak form of authentication management. Rather, companies should use a two factor approach to their security – commonly called “2FA” (2-factor authentication), usually something you know, like a password, and something you have, such as an electronic token or fob, or a code generated on your smartphone.
- Set proper levels of authorization. If everyone who had access to your cloud had the same level of access to the data that would be extremely unwise and risky. This is related to what is called the “principle of least privilege,” which says, “give people only the access they need to do their jobs and not one bit more.” Setting up and managing these levels should be offered by the cloud provider. It's not simple, but a good cloud provider using modern technologies and the right technologies will be able to support this.
- Monitor and track all user activity. Providers need to understand what is happening, not just what you thought was happening. In other words, written policies and processes describe what is supposed to happen. But actually looking at an audit trail of events as recorded from the cloud’s systems tells you what is really going on. You need to monitor and record all these transactions. Review them regularly to make sure the controls you have in place are actually working. It's not strictly necessary that the customer see it all the time, but the cloud provider needs to. In case something does go wrong or a breach occurs, monitoring this kind of activity is critical for understanding where and when the breach occurred and what should be done about it.
- Ensure compliance to laws, regulations and guidelines as required by your particular business, industry and geography. Compliance is straightforward in its intent, but complex in its execution. For one thing, the law has not actually caught up to cloud yet. Industry compliance and privacy laws are constantly changing, and customers and cloud providers need to be aware of that. Hire a third party consultant to ensure that your cloud is compliant, rather than relying solely on the cloud provider. If your business gets into legal trouble, the blame is on your organization, not the cloud vendor. You can shift accountability to the cloud provider, but you cannot shift your legal responsibility.
- Verify that when you delete data in the cloud, it's actually deleted. Data encryption is the best way to combat this problem. Then, even if your data isn't necessarily completely gone, at least it can't be read. Have the cloud provider give you detailed technical and operational information about how data is deleted and what happens to backed-up data. This can also help your organization with legal liability issues, since having specifications in the contract of what happens to deleted data will show due diligence if it's ever questioned.
- Confirm that you own the data that resides in the cloud. You need to have a clear legal understanding of who owns the data that you are putting in the cloud, in terms of intellectual property and data privacy concerns. This is especially important when hosting third party data, such as your organization's customer information. The laws can differ geographically. Data privacy laws can restrict the mobility of data; for example, you have multiple cloud data centers, but if they are in different countries, you may not be able to replicate data from one to another.
- Establish service level agreements (SLAs) that specify data and system availability. The strength of any agreement with a cloud provider comes down to what's in the SLA. The agreement should be as broad as possible in what the provider will cover, but it also needs to be very specific on definitions and penalties. For example, if a provider offers an organization compensation for downtime, the contract should specify whether this includes expected downtime, such as scheduled maintenance. Even more important is whether that compensation comes close to the real damage an organization would suffer in the worst case scenario. It's important to remember that there's flexibility in these agreements. The larger the deal, the more willing a cloud provider usually is to negotiate.
- Make sure your cloud vendor has a viable disaster recovery plan in place. Have a copy of the provider's disaster recovery and business continuity plan. And don't just make sure there's a plan - make sure it's a good plan. Organizations should ensure that their cloud providers have replicated data centers, for example, and can guarantee recovery within a reasonable timeframe. No plan has any value at all unless it's tested. Find out how a cloud provider tests its recovery plan and how often.
- Have an exit strategy. An organization's cloud services agreement should not be like the “Hotel California". Once you “check in” with a provider, you should be able to get out. The day to start thinking about that is the day you start talking to your current potential cloud provider. It's almost like an apartment lease - organizations should consider what to do if they are unhappy and want to move to another cloud provider. This needs to be understood up front and stated clearly in the contract.